Malaysia Personal Data Protection Act 2010 – 7 Key Principles (Part 2) and where authority lies and the sectors must register. We also briefly touched upon the seven underlying principles of the act.
In the second part, we’re going to discuss those seven key principles in detail, which Malaysian businesses (referred to as data user) must be familiar with to ensure compliance:
7 PDPA 2010 Principles businesses must know
A data user must comply with the following seven Malaysian PDPA principles:
Under this principle, data users must not process personal data unless written consent has been given by the data subject. With that said, a data user is under no obligation to comply with the above requirement where data processing is needed for:
- Compliance with legal obligations to which the data user acts as a subject, apart from a contractual obligation
- Specific steps as per the data subject where entering into a new contract is required
- The assessment of contractual performance where the data subject acts as a party
- The administration of justice or legal notices
- Protection of vital interests, which namely includes matters about security, life, or death of the data subject
- Exercising any functions delegated to any concerned individual under any law.
Under PDPA 2010, the personal data of a data subject can only be processed when:
- It is done so for a lawful purpose which is directly related to the data user’s activity
- It is required for or directly related to the above purpose; and
- The data is sufficient and not excessively or implicitly required for the above purpose.
Notice and Choice Principle
Under the notice and choice principle, data users must inform a data subject of a variety of matters which may relate to the latter’s personal information which may need to be proceeded by or on behalf of the data user.
According to PDPA law, a data user must notify a data subject in writing under the following circumstances (in both Malay and English), when:
- The data subject’s personal data is being processed, along with a description of that data.
- The underlying purpose of the data which is being collected for processing
- Any information the data user currently has in regards to the source of the subject’s personal data
- The data subject requests access to the personal data for correction or updating.
- The contact information of the data user when any inquiries or complaints are raised
- The classification of 3rd parties with whom the personal data is shared
- The means and options are granted to the data subject to limit data processing to the desired purpose only.
- Whether it is compulsory or voluntary for data subjects to share personal data, and if it is obligatory, then the consequences of not sharing that data.
The above notice must be given to the data subject by the data subject at the first possible opportunity – that is, when the latter first requests personal data to be sent.
Under this principle, a data user cannot disclose a data subject’s personal data under these two conditions:
- Disclosure of data for a purpose other than the one disclosed or directly related to the agreed-upon disclosure
- Disclose to any party other than the designated class of 3rd parties agreed upon between the data user and data subject
Personal data disclosure is, however, permissible under the following:
- Prior consent from the data subject has been given.
- The disclosure is deemed necessary to detect or prevent crime or criminal investigation or legal action.
- The disclosure has been authorised/required by law enforcement agencies or the court.
- The data user believed that he was under a legal obligation to share personal data with another individual or party.
- The data user believed that the data subject would have given consent if the latter would have known of the disclosure and the circumstances around such disclosure.
- The personal data disclosure was justified and called for in the name of public interest and according to circumstances determined by the acting Minister.
This principle puts the data user under obligation to take specific measures to protect a data subject’s personal data from loss, modification, misuse, accidental/unauthorized, disclosure or destruction during processing. The following factors are to be considered:
- The personal data’s underlying nature and the harm which may ensue due to loss, modification, misuse, unauthorized/accidental disclosure or access, or destruction
- The location of the personal data storage
- Security measures which have been integrated within the equipment used to store the personal data
- Any measures taken to ensure the integrity, reliability and competence of the personnel who have access to that personal data.
- Measures are taken to ensure the secure transfer of all such data.
Also, a security policy must be prepared by the data user according to the 2013 Regulations.
This principle stipulates that personal data can only be retained for as long the main purpose for which it is must be processed has been fulfilled. The data user must destroy the data permanently once the data subject’s personal data is no longer required for processing purposes.
However, minimum data retention periods may apply under other laws, such as specific tax laws. With that said, it is quite unlikely that the retention of data under other laws would be termed as a contravention of this principle, though this has not been tested in practice.
Here’s a brief overview of the retention standards according to the 2015 Standards set by PDPA:
- Ensure that all legislation about personal data processing and storage is appropriately compiled and recorded before disposal
- Not retain the personal data longer than the required time for processing, unless specified otherwise by legal authorities, law enforcement agencies or the court.
- Prepare and maintain personal data disposal records which are to be submitted to the Commissioner when required.
- Dispose of personal data collection forms used for commercial transactions within 14 days, except that the form is of legislative value in regards to that commercial transaction(s).
- Review and dispose of personal data which is no longer required in the data user’s database
- Come up with a personal data disposal schedule for 24 months minimum for personal data which is inactive.
- Removable media device for storing personal data is prohibited unless allowed through written consent by the data user’s organization’s higher management.
Data Integrity Principle
Under this principle, the data user must take the appropriate steps to ensure that all personal data collected is entirely complete, accurate, up-to-date and not misleading regarding the underlying purpose for storing and processing such data.
According to the 2015 Standards, here’s a brief overview of the data integrity standards set by PDPA:
- Prepare a form for updating personal data which must be available either in tangible form or online.
- Upon receiving a personal data correction/amendment notice from the data subject, the personal data must be updated immediately without delays.
- Ensure that all the required legislation has been satisfied through identifying the type of documents/data required for supporting the personal data’s authenticity
- Inform the data subject about any updates which his/her personal data may require, either through a portal where the latter is registered or other appropriate channels to ensure that the data user receives notice.
The Access principle gives data users the right to access and correct his/her personal data in case it is incomplete, misleading, inaccurate or outdated. The PDPA provides stipulations under which a data user may refuse to comply with a data correction request put forth by the data subject.
- When a data subject puts forward a request to access their personal data, the data user must comply with this request within 21 days from the receipt of any such request.
- The data user is at liberty to impose a reasonable fee for providing access to the data, with the maximum fee fixed under the Personal Data Protection Fees Regulations of 2013.
- However, there are multiple exceptions to the above, especially where it might result in disproportionate expense.
Please keep a lookout for part three coming soon part three of the series; we discuss controller/processor contracts, data subject rights, health and financial sector breach reporting and data transfers.
[button link=”https://www.vinarcopdpa.com/the-malaysia-personal-data-protection-act-2010-all-you-need-to-know-part-1/” type=”big” color=”red”] Part One[/button]